Shortly noted before I forget again. Values in uppercase and prefixed by a $ denote placeholder values, which could differ on your machine.

First, check your version of GPG:

$ gpg --version
gpg (GnuPG) 2.2.17
libgcrypt 1.8.3
Copyright (C) 2019 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: $HOME/.gnupg
Supported algorithms:
	Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
	Compression: Uncompressed, ZIP, ZLIB, BZIP2

Then, create a new key:

$ gpg --full-generate-key
gpg (GnuPG) 2.2.17; Copyright (C) 2019 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
Your selection? 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 4096
Requested keysize is 4096 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 5y
Key expires at $DATE_IN_FUTURE
Is this correct? (y/N) y

GnuPG needs to construct a user ID to identify your key.

Real name: Your name
Email address:
You are using the 'utf-8' character set.
You selected this USER-ID:
    "Your name <>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit?

What happened here? The wizard asks you first about the purpose of the key. RSA stands for Rivest–Shamir–Adleman and describes an algorithm to generate cryptographic values. DSA is the Digital Signature Algorithm, but not that popular any more.

I want to use the key for encrypting emails, thus I pick 1.

The bit length should be minimum of 2046. The further the technology advances, the harder to crack keys with a longer length. So I go for 4096 to be somewhat future-proof.

You can decide to let the key expire. Some people do that, some don't. Since I want to somewhat limit the harm a lost key could do, I limit it to five years. This way I have to create a new key once the old expired. Keep in mind, that you will loose all the trust put in this key once it expired.

Now enter the name and email you want to be publicly available to this key. Make sure, the character set is utf-8.

Double-check everything and then confirm the input. Now, go do some browsing to create some entropy and let your computer do the work.

gpg: Key $GPG_ID was marked as ultimatively trustworthy.
gpg: Directory `$HOME/.gnupg/openpgp-revocs.d' created
gpg: Revocation cert was saved as '$HOME.gnupg/openpgp-revocs.d/$KEY.rev'.
Public and secret key created and signed.

pub   rsa4096 YYYY-MM-DD [SC] [expires: YYYY-MM-DD]
      uid                      Your name <>
      sub   rsa4096 YYYY-MM-DD [E] [expires: YYYY-MM-DD]

Now, you need to upload the key so others can contact you. Since the key servers sync their keys among each other, it doesn't matter much to which key server you are sending your keys. I am using Seahorse for key management.

But I want to show you how to do it on the command line here:

$ gpg --send-keys $GPG_ID
gpg: sending key $GPG_ID to hkp server $HKP_SERVER

You can find my key now: 93BE0EAD9D091300.